2. A firewall is a system used to prevent unauthorized access to or from a secure network. It can be software, dedicated hardware, or a combination of both. According to the configured policies it examines all traffic entering and leaving the secure network and blocks every packet that does not comply with the policy.
Software Firewall
Designed for home and small-office computers that have internet access. It detects suspicious activity coming from outside.
Hardware Firewall
A dedicated device; we will discuss it briefly.
3. All Cisco routers and multilayer switches support IOS-based firewall capabilities. Cisco also has fully dedicated security appliances, such as:-
PIX (Private Internet Exchange)
ASA (Adaptive Security Appliance)
Note:- ASA is the newest replacement for the PIX firewall.
4. 1. Packet Filtering Firewall
It works on layers 2 and 3, i.e. the network and transport layers of the OSI model. It is the first generation of firewall and works by analysing IP addresses and port numbers.
It has many drawbacks: it is vulnerable to IP spoofing and cannot determine whether a packet carries malicious code.
2. Stateful Packet Filtering Firewall
This is the second generation of firewall. It maintains a table of the state of every connection passing through it, i.e. TCP or UDP, and accepts or rejects traffic on a connection-by-connection basis. Once a connection is terminated, its entry is deleted from the table and data transmission is closed.
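As an added illustration (not part of the original slides), the following Python model contrasts the two generations described above: a stateless rule set that has to leave high ports open so that server replies can get back in, and a stateful filter whose connection table admits only replies to sessions opened from the inside and removes an entry when the connection is torn down. The 10.0.0.0/24 inside prefix, the other addresses and the packet trace are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags as letters: S, A, F, R (e.g. "SA" = SYN/ACK)

INSIDE_PREFIX = "10.0.0."    # constructed secure-network prefix, not from the slides

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def stateless_filter(pkt: Packet) -> str:
    """First-generation rule set: only addresses and ports are inspected.
    Outbound traffic is permitted; to let server replies back in it has to
    permit any inbound packet to a high (ephemeral) port, because it cannot
    tell a genuine reply from an unsolicited packet."""
    if is_inside(pkt.src):
        return "permit"
    if pkt.dport >= 1024:
        return "permit"      # the hole: any outside host can reach inside high ports
    return "deny"

class StatefulFilter:
    """Second-generation filter: keeps a table of connections opened from the
    inside and permits inbound packets only when they match an entry."""

    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}   # 5-tuple -> "established" | "half-closed"

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse(pkt: Packet) -> tuple:
        return (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)

    def check(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            key = self._key(pkt)
            self.table.setdefault(key, "established")   # outbound packet opens a session
            self._track_teardown(key, pkt)
            return "permit"
        key = self._reverse(pkt)
        if key in self.table:                            # reply to a session we opened
            self._track_teardown(key, pkt)
            return "permit"
        return "deny"                                    # unsolicited inbound traffic

    def _track_teardown(self, key: tuple, pkt: Packet) -> None:
        # RST removes the entry at once; the first FIN half-closes it and the
        # second FIN removes it. (UDP entries would normally expire by timeout,
        # which this model leaves out.)
        if pkt.proto != "tcp":
            return
        if "R" in pkt.flags or ("F" in pkt.flags and self.table[key] == "half-closed"):
            del self.table[key]
        elif "F" in pkt.flags:
            self.table[key] = "half-closed"

def run_trace(packets: list) -> list:
    """Return (stateless decision, stateful decision) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.check(p)) for p in packets]

# Constructed trace: inside client 10.0.0.5 fetches a page from 198.51.100.7,
# an unrelated host 203.0.113.9 probes the client's ephemeral port, and the
# server sends a stray packet after the connection has been closed.
TRACE = [
    Packet("10.0.0.5", "198.51.100.7", 40000, 80, "tcp", "S"),
    Packet("198.51.100.7", "10.0.0.5", 80, 40000, "tcp", "SA"),
    Packet("10.0.0.5", "198.51.100.7", 40000, 80, "tcp", "A"),
    Packet("203.0.113.9", "10.0.0.5", 51000, 40000, "tcp", "S"),   # unsolicited probe
    Packet("10.0.0.5", "198.51.100.7", 40000, 80, "tcp", "FA"),
    Packet("198.51.100.7", "10.0.0.5", 80, 40000, "tcp", "FA"),
    Packet("198.51.100.7", "10.0.0.5", 80, 40000, "tcp", "A"),     # after teardown
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags:2}]"
              f"  stateless={stateless:6}  stateful={stateful}")
```

Running the trace shows the difference the slide describes: the stateless rules permit the probe to port 40000 and the stray packet after teardown, because both look like replies; the stateful filter permits only the packets that match an entry in its table.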
5. 3. Application Firewall
This is the third generation of firewall. It operates at layers 3, 4, 5, 6 and 7 (the network, transport, session, presentation and application layers) of the OSI model. This type of firewall is more secure but offers the lowest performance.
4. Dynamic Packet Filter Firewall
This is the fourth generation of firewall. It allows security rules to be modified dynamically, and multiple techniques can be used to configure it.
6. The ASA performs different tasks on an arriving packet depending on whether it belongs to a new or an existing connection.
For a new packet:
Perform the access-list check
Perform the route lookup
Allocate a NAT translation (xlate table entry)
Establish a session in the fast path (maintaining the TCP connection)
For an existing packet:
IP checksum verification
Session lookup
TCP sequence number check
NAT translation based on the existing connection (xlate table)
Layer 3 (IP address) and layer 4 (port number) header adjustment
7. Routed mode
Single mode (supports dynamic routing)
Multiple mode (does not support dynamic routing, only static or default routing)
Transparent mode
The Cisco ASA firewall is basically a stateful firewall, and the concept of security levels is an integral part of such a firewall. There are basically three zones:-
Outside:- the untrusted network. The default security level is 0 (zero).
Inside:- the trusted network, i.e. the office LAN. The default security level is 100.
DMZ:- neither trusted nor untrusted; more secure than outside but less secure than inside. The default is 0, but any security level between 0 and 100 can be assigned. All publicly accessible servers, such as web and e-mail servers, need to be placed in this zone.
Note:- The higher the security level, the more secure the zone. By default any packet from a lower security level to a higher security level is denied, and packets between interfaces with the same security level are dropped.
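The following Python model, added here as an illustration and not Cisco's code, walks a packet through the sequence on slide 6 (session lookup for an existing packet; access-list check, route lookup, xlate allocation and session creation for a new one) and applies the default security-level policy described on this slide. The interface names, levels, routes, the static NAT entry and the access list are constructed assumptions: the DMZ is given level 50, and a second interface named "partner" is also set to 50 to show the same-level case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

# Constructed zones. Outside and inside use the slide's defaults (0 and 100); the
# DMZ is assigned 50, and "partner" is a second interface at 50 for the same-level case.
SECURITY_LEVEL = {"outside": 0, "inside": 100, "dmz": 50, "partner": 50}

# Constructed routing table (prefix -> egress interface); anything else goes outside.
ROUTES = {"10.0.0.": "inside", "192.168.1.": "dmz", "172.16.0.": "partner"}

# Constructed static NAT for the DMZ web server: real address -> public (mapped) address.
STATIC_NAT = {"192.168.1.10": "203.0.113.10"}
UNTRANSLATE = {mapped: real for real, mapped in STATIC_NAT.items()}

# Constructed inbound access list on the outside interface, written against the
# real address: (protocol, destination ip, destination port).
ACL = {"outside": [("tcp", "192.168.1.10", 80)]}

class MiniAsa:
    """Toy model of the ASA decision sequence from the slides; not Cisco code."""

    def __init__(self) -> None:
        self.conns: dict = {}   # session table: 5-tuple -> egress interface
        self.xlate: dict = {}   # translations in use: real ip -> mapped ip

    @staticmethod
    def route_lookup(ip: str) -> str:
        for prefix, iface in ROUTES.items():
            if ip.startswith(prefix):
                return iface
        return "outside"        # default route

    def process(self, ingress: str, pkt: Packet) -> tuple:
        # Modelling assumption: undo a static translation first so that the session
        # lookup and the access list both work on the real address.
        dst = UNTRANSLATE.get(pkt.dst, pkt.dst)
        key = (pkt.src, dst, pkt.sport, pkt.dport, pkt.proto)
        rev = (dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)

        # Existing packet: the session lookup hits and the packet takes the fast path.
        if key in self.conns or rev in self.conns:
            return "permit", "existing session"

        # New packet. The route lookup is done first in this model because the
        # security-level comparison needs to know the egress interface.
        egress = self.route_lookup(dst)
        if ingress in ACL:
            # An access list on the ingress interface replaces the level-based default.
            allowed = any(p == pkt.proto and ip == dst and port == pkt.dport
                          for p, ip, port in ACL[ingress])
            reason = "access-list"
        else:
            # Default policy: higher level -> lower level only; lower -> higher and
            # same -> same are denied.
            allowed = SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
            reason = "security-level"
        if not allowed:
            return "deny", (f"{reason} {ingress}({SECURITY_LEVEL[ingress]})"
                            f" -> {egress}({SECURITY_LEVEL[egress]})")

        # Allocate an xlate entry when the real host has a static translation, then
        # create the session so later packets in either direction skip these checks.
        if dst in STATIC_NAT:
            self.xlate[dst] = STATIC_NAT[dst]
        self.conns[key] = egress
        return "permit", f"{reason} {ingress} -> {egress}"

def demo() -> list:
    """Constructed packets, one per case; returns the decision for each."""
    asa = MiniAsa()
    cases = [
        ("outside", Packet("198.51.100.7", "203.0.113.10", 50123, 80)),   # public -> DMZ web
        ("dmz",     Packet("192.168.1.10", "198.51.100.7", 80, 50123)),   # the server's reply
        ("outside", Packet("198.51.100.7", "203.0.113.10", 50124, 22)),   # port not in the ACL
        ("dmz",     Packet("192.168.1.10", "10.0.0.5", 40000, 445)),      # DMZ -> inside (50 -> 100)
        ("inside",  Packet("10.0.0.5", "192.168.1.10", 40001, 80)),       # inside -> DMZ (100 -> 50)
        ("inside",  Packet("10.0.0.5", "198.51.100.7", 40002, 443)),      # inside -> outside (100 -> 0)
        ("dmz",     Packet("192.168.1.10", "172.16.0.3", 40003, 80)),     # same level (50 -> 50)
    ]
    results = []
    for ingress, pkt in cases:
        decision, why = asa.process(ingress, pkt)
        print(f"{ingress:8} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {decision:6} ({why})")
        results.append(decision)
    return results

if __name__ == "__main__":
    demo()
```

Run the file to print one line per constructed packet. The model collapses NAT to a single static entry and omits the checksum and TCP sequence-number checks listed for existing packets; on a real ASA the zones in the model correspond to the interface's nameif and security-level settings.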